The future of antivirus software revealed

Is signature-based software here to stay?

By Michael Fitzgerald | 03 May 08

What does the future hold for signature-based antivirus? We've got some expert opinions on the subject.

Antivirus software makes Greg Shipley so mad he has to laugh.

"The relationship between signature-based antivirus companies and the virus writers is almost comical. One releases something and then the other reacts, and they go back and forth. It's a silly little arms race that has no end."

Shipley, CTO at Neohapsis, a security consultancy in Chicago, says the worst part is that the arms race isn't helpful either to him or his clients.

"I want to get off of signature-based antivirus as rapidly as possible. I think it's a broken model and I think it's an incredible CPU hog."

The question is, where should he go? Antivirus as an industry has modeled itself on the human immune system, which slaps a label on things such as viruses so it knows to attack them when it sees that same label, or signature, again.

Signature-based antivirus has moved well beyond that simple type of signature usage (although at the beginning, it did look for specific lines of code). In its current, more sophisticated form, it dominates the market for security software, despite some obvious limitations.

You don't use signature-based AV to stop data leakage, for instance, although many kinds of malware are designed to siphon data out of companies.

The number of malware signatures tracked by security software company F-Secure doubled in 2007. You might cynically expect such a company to say there's more malware out there, but the figure speaks for itself: the signatures added in 2007 alone doubled the number F-Secure had built up over the previous 20 years.

Even before 2007, there were plenty of people besides Shipley arguing that antivirus was an industry in trouble. In fact, in 2006, Robin Bloor, an analyst at Hurwitz & Associates, penned a report titled 'Anti-virus is dead'.

He argued that malware exists only because antivirus software exists, and said that antivirus software was doomed to be replaced by new forms of software, which he calls application control, or software authentication tools. Such tools whitelist the software we use and won't run anything else without the user's explicit permission.

The difference between the two models described above (a signature that labels known-bad code, versus a whitelist that only admits known-good code) can be made concrete in a few lines. The following Python is an added illustration, not code from the article or from any vendor it names; the sample "executables", the marker strings and the function names are all constructed for the example. It runs a byte-pattern signature scan and a SHA-256 allowlist check over the same four samples, so the reader can see where each model fails: the signature scanner misses a trivially altered variant until a new signature is shipped (the arms race Shipley describes), while the allowlist blocks the variant but also blocks a legitimate update until someone approves it.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample "executables" (plain byte strings, not real binaries).
TRUSTED_APP_V1 = b"MZ\x90\x00 constructed trusted app v1"
TRUSTED_APP_V2 = b"MZ\x90\x00 constructed trusted app v2"      # legitimate vendor update
KNOWN_MALWARE = b"MZ\x90\x00 DEMO-MALICIOUS-MARKER-0001 payload"
VARIANT = b"MZ\x90\x00 DEMO-MALICIOUS-MARKER-0002 payload"      # same code, one byte changed

# Denylist (signature) model: byte patterns the vendor has published for known samples.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Marker.A": b"DEMO-MALICIOUS-MARKER-0001",
}


def signature_scan(data: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> Optional[str]:
    """Return the name of the first signature found in the data, or None.

    None means 'no known signature matched'; it does not mean 'clean', which
    is exactly the gap a new variant slips through."""
    for name, pattern in signatures.items():
        if pattern in data:
            return name
    return None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist (application control) model: hashes of software the organisation approved.
ALLOWLIST = {sha256(TRUSTED_APP_V1)}


def allowlist_permits(data: bytes, allowed=ALLOWLIST) -> bool:
    """True only if the exact binary has been approved; anything unknown is refused."""
    return sha256(data) in allowed


def compare_models(samples: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """For each sample, report whether each model would let it execute."""
    report = {}
    for name, data in samples.items():
        report[name] = {
            "signature_model_runs": signature_scan(data) is None,
            "allowlist_model_runs": allowlist_permits(data),
        }
    return report


SAMPLES = {
    "trusted_v1": TRUSTED_APP_V1,
    "trusted_v2": TRUSTED_APP_V2,
    "known_malware": KNOWN_MALWARE,
    "variant": VARIANT,
}

if __name__ == "__main__":
    for sample, verdicts in compare_models(SAMPLES).items():
        print(f"{sample:14s} signature model runs it: {verdicts['signature_model_runs']!s:5s} "
              f"allowlist model runs it: {verdicts['allowlist_model_runs']}")
```

Reading the output: the signature model lets both trusted versions run and stops the known sample, but it also runs the variant because no published pattern matches it yet. The allowlist model stops the known sample and the variant alike without any update, at the cost of refusing the legitimate v2 binary until its hash is added to the approved set, which is the administrative burden behind the "explicit permission" step Bloor describes.
<test>
r = compare_models(SAMPLES)
assert r["trusted_v1"] == {"signature_model_runs": True, "allowlist_model_runs": True}
assert r["trusted_v2"] == {"signature_model_runs": True, "allowlist_model_runs": False}
assert r["known_malware"] == {"signature_model_runs": False, "allowlist_model_runs": False}
assert r["variant"] == {"signature_model_runs": True, "allowlist_model_runs": False}
assert signature_scan(KNOWN_MALWARE) == "Demo.Marker.A"
assert signature_scan(VARIANT) is None
assert allowlist_permits(TRUSTED_APP_V1) is True
assert allowlist_permits(TRUSTED_APP_V2) is False
</test>

Antivirus firms think their death is greatly exaggerated, thank you very much, even those that aren't overly reliant on signatures, such as BitDefender (which says that signature-based techniques account for only 20 percent of the malware it catches), PC Tools and DriveSentry.

"Signatures aren't dead, you need them," says Bogdan Dumitru, chief technology officer of BitDefender, which uses behavioural targeting techniques to stop the remainder of attacks. Its main research focus is to develop an 'undo' feature that will let users hit by malware reverse its effects. BitDefender hopes to release this feature this year.

Meanwhile, Bit9, the application white-listing company highlighted in Bloor's report, uses antivirus software to help build its database - 22 kinds of antivirus software, in fact.

In November 2007, Bit9 announced a deal to give access to this database to security software maker Kaspersky Lab. Bit9 officials said that the database will help Kaspersky check new signatures to limit false positives.

It's also true that antivirus makers continue to sell billions of pounds worth of software, despite Bloor's proclamation. Bloor, though, says that "the technique of protecting PCs using virus signatures is now on the wane", and rattles off a list of whitelisting companies offering software authentication tools, not just Bit9, but also companies such as Lumension (formerly SecureWave), Savant Protection, Computer Associates and AppSense.

And he noted the Kaspersky deal and Apple's use of whitelisting to protect the iPhone.